How to validate guardian JWT token signature

We use the Auth0 Management API (‘/api/v2/guardian/enrollments/ticket’) endpoint to create our custom enrolment.
Our system gets a response and uses ‘ticket_url’ for user redirection. The user resolves this request with a push notification received on his device.
As a result, the Auth0 system generates a JWT token.
Payload:
{
  "exp": 1698128117,
  "iss": "https://{tenant_id}.guardian.us.auth0.com/",
  "nonce": null,
  "status": "ok",
  "sub": "auth0|{user_id}",
  "auth0_is_new_user": false
}

We’re going to use this token for a one-time operation of our application. But there is an issue with this token validation.
We tried to use the ‘https://{tenant_id}.guardian.us.auth0.com/.well-known/openid-configuration’ endpoint. But it’s not found (404).
We tried to use a key from ‘https://{tenant_id}.us.auth0.com/.well-known/openid-configuration’. But it’s not valid for this token signature.

Would you please advise where we can get a public key to validate this guardian JWT token?

Hi @asheremetyev,

Firstly, if you would like to see the OAuth endpoints, you can find them on your Dashboard > Applications > Your App; scroll to the bottom and click on Advanced Settings. There is an Endpoints tab; click on it, and there should be a list of endpoints for your OpenID Configuration and JSON Web Key Set.

They should look something like the following:

  • https://{yourDomain}.us.auth0.com/.well-known/jwks.json
  • https://{yourDomain}.us.com/.well-known/openid-configuration

I would also encourage you to check out our Validate JSON Web Tokens documentation that outlines the steps to validate your JWT token.

Please let me know how this goes for you.

Thanks,
Rueben

Hi @rueben.tiow,

Thank you for your attention. But unfortunately it is not exactly what we’re searching for.
As you can see, I was talking about the guardian JWT token. It is not an access or ID token of the main Auth0 system.

The guardian JWT token we got:
Header:
{
  "alg": "RS256"
}
Payload:
{
  "exp": 1698128117,
  "iss": "https://{tenant_id}.guardian.us.auth0.com/",
  "nonce": null,
  "status": "ok",
  "sub": "auth0|{user_id}",
  "auth0_is_new_user": false
}
Signature:
Fb5RiDW8XeXw0lzCGQv1m3eslW6eIem7WJOksO_E4Q5dISBo_s0Z7dfJ2WZqvJlC_X8uai-ubnRqPkZ0L0Th6diIGTdyeBy-dIBXTHwiIgAYKU4IsclmM5CvmCMfY0DGL3pov2tRLgVIdMXa0phE9kNXwg3JvIhehhDNuBcHWYUPywnllhDMqmBrvGyOIkLYAG_8qHhn8bB2AyDrUiiiBb715XmITWnw-igSwk7r_rl09oTvwSjnEWSEzLrzm2A11FrVh2Ns_iGv4Lqu5Cd8VWV9joxQRPgXa7L-HU2VMIpw0V1F7WPG0OUz1k0ixFUePqnYu4-NC9AeFTYMu2WgFg

Please pay attention to the ‘iss’ field. It is ‘https://{tenant_id}.guardian.us.auth0.com/’. It’s not the ‘https://{tenant_id}.us.auth0.com/’ issuer of the access token.
We need to make sure this token is valid. But we couldn’t find a public key for signature validation. Is it possible at all?
We have already checked Dashboard > Applications > Your App. But there are no endpoints for the guardian system there.

Hi @asheremetyev,

Thanks for the reply.

Could you please explain where and how you got the JWT token?

During my tests, after MFA has been enrolled, the user is redirected to a page like the following:

I do not see where the system generates a JWT Token.

Thanks,
Rueben

@rueben.tiow,

Yes, you’re right. By default it stops the process with this screen. In this case the JWT token is generated but not sent.

But after the user has enrolled we would like more:

  1. The user has to return to our system;
  2. Our system has to be sure that this user has really enrolled successfully.

We use the MFA page customization (Branding → Universal Login → Advanced Options → Multi-factor Authentication) and set the ‘postActionURL’ option for Auth0MFAWidget.

Now it doesn’t stop at that page. It POSTs to our system with 2 parameters: ‘rememberBrowser’ and ‘signature’ (the JWT token).
We try to confirm the ‘signature’ and make sure the user has enrolled successfully, since if he does, our system gives him more permissions.

And this is the token we are unable to validate.

I’m not sure about ‘postActionURL’ usage for this scenario. I’ve found no helpful information. But this is the only way we found to confirm the user’s enrollment action and return him back to our system.

Please let me know if there is a simpler way to do it.